alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; http.method; content:"GET"; http.header; content:"C|3a|/WINDOWS/system32/calc.exe"; content:"|0d 0a|"; within:9; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; classtype:attempted-recon; sid:2011028; rev:9; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2020_09_14;)